Large computing environments can comprise a plurality of entities such as computing devices, user accounts and users. Computing devices are often called hosts. A host may also be a virtual computing device or a container such as a Linux™ container or equivalent within a physical computing device. Each host may comprise or be associated with one or more user accounts, processes, and/or files. Hosts, user accounts, and other entities in the environment may be associated with groups, e.g., user groups.
Various arrangements for accessing entities in a computing environment by other entities can be configured. Examples of these include web-based access, security protocol (e.g., secure shell protocol; SSH) based access, file transfer access, remote procedure call access, and/or software upgrade access. Such access may be used by, e.g., end users, automation, and/or system administrators.
Many ways of effectively configuring and/or gaining access to a particular entity, such as a computing device or a set of computing devices, can be employed. The different ways of configuring access include configuring by using local files on a server (possibly in combination with local clients on the client device), configuration information in directories (e.g., Active Directory, LDAP (Lightweight Directory Access Protocol) directories, NIS (Network Information System) directories), and/or databases. Many forms of configuration can be used simultaneously. Often configuration further relies on configuration data not necessarily perceived as a part of access configuration, such as DNS (Domain Name Service), DHCP (Dynamic Host Configuration Protocol), shared file system configuration, and even configuration of switches and routers in the network.
Access relationships can be formed between various entities. An access relationship is understood to refer to a relationship between a source entity and a destination entity such that the access from the source entity to the destination entity is permitted. Access relationships are hence sometimes called trust relationships.
Computer systems can provide information on access relationships between entities based on information of keys used by the entities. It is possible to collect information on keys, for example SSH (Secure Shell) keys, associate private keys with corresponding public keys, and visualize the resulting graph on a computer screen. However, known systems can suffer from scalability problems in their analysis and display of access relationships configured using, e.g., SSH keys. Furthermore, known systems are not able to represent kinds of access relationships other than SSH key based relationships, or to combine such other relationships with SSH key based relationships.
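The key-matching step described above can be sketched as follows; this is an added example, not code from the original text or from any system it describes. It joins private keys to authorized public keys by fingerprint to derive source-to-destination access relationships, and goes slightly beyond the text by also computing transitive reach and listing authorized keys whose private half is not in the inventory. All hosts, accounts and fingerprints are constructed sample values.

```python
from collections import defaultdict, deque

# Constructed sample inventory (not real data): (host, account, public-key fingerprint)
PRIVATE_KEYS = [  # private keys found on disk, identified by their public half
    ("build01", "jenkins", "SHA256:aaa"),
    ("app01", "deploy", "SHA256:bbb"),
    ("laptop7", "alice", "SHA256:ccc"),
]
AUTHORIZED_KEYS = [  # entries found in authorized_keys files
    ("app01", "deploy", "SHA256:aaa"),
    ("db01", "postgres", "SHA256:bbb"),
    ("db01", "root", "SHA256:ccc"),
    ("db01", "root", "SHA256:ddd"),  # no matching private key in the inventory
]

def build_relationships(private_keys, authorized_keys):
    """Join both inventories on fingerprint; return (edges, unmatched grants)."""
    holders = defaultdict(set)
    for host, account, fp in private_keys:
        holders[fp].add((host, account))
    edges, unmatched = set(), []
    for host, account, fp in authorized_keys:
        dst = (host, account)
        if fp not in holders:
            unmatched.append((dst, fp))  # access granted to an unknown key holder
        for src in holders.get(fp, ()):
            edges.add((src, dst, fp))
    return edges, unmatched

def reachable(edges, start):
    """All destinations reachable from start by chaining access relationships."""
    adj = defaultdict(set)
    for src, dst, _ in edges:
        adj[src].add(dst)
    seen, queue = set(), deque([start])
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen and nxt != start:
                seen.add(nxt)
                queue.append(nxt)
    return seen

if __name__ == "__main__":
    edges, unmatched = build_relationships(PRIVATE_KEYS, AUTHORIZED_KEYS)
    for src, dst, fp in sorted(edges):
        print(f"{src[1]}@{src[0]} -> {dst[1]}@{dst[0]} via {fp}")
    print("reach of jenkins@build01:", sorted(reachable(edges, ("build01", "jenkins"))))
    print("authorized keys with unknown private key:", unmatched)
```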
Information on existing access relationships in an organization would often be desirable. For example, it can be of great importance for an organization or the like to be aware of who can access what data and systems in the organization. Large organizations may have thousands, or even more than a hundred thousand, servers, and thousands or even millions of user accounts. This can be the case especially when counting in system-local service accounts. There is thus a need for solutions for processing access information at sufficient scale, accuracy, and generality.